PREPARED

BY:
APPROVED
BY:
Assigned

Sec.

A
A

AUDIT PROGRAM

Author: Lance M. Turcato

Logical Security

Audit Date:____________

Operating Systems - Generic

Sub-Sec.

Audit Step

Date

Ref.

Initials

SYSTEMS UNDERSTANDING
1.0

Organization
Objective: To ensure that the audit team has a clear understanding of the delineation of
responsibilities for system administration and maintenance.

1.1

Determine who is responsible for systems administration and maintenance. Obtain

a current organization chart if available.

2.0

Hardware Platforms
Objective: To ensure that the audit team has a clear understanding of the hardware
platforms subject to review and to obtain the necessary information for identifying
critical systems throughout the processing environment.

2.1

2.2

2.3

Obtain an understanding of the server infrastructure at the site under review:

Request a complete server inventory. If an inventory is not available, obtain
an understanding of the server environment through discussions with the
system administrator(s).

If a server inventory is unavailable, meet with systems administration
personnel and tour the facility to identify all servers and collect information
regarding each server.

At a minimum, obtain the following information for each server included in
the scope of the review:

Server name

Manufacturer and model

Purpose / function of each server

Owner

Enterprise supported

Responsible systems administrator

Identify the key servers that support business applications.
Obtain an understanding of the peripherals in the environment (i.e., printers,
shared disks, etc.).
Determine if there are known problems with servers in the environment.

3.0

Operating System
Objective: To ensure that the audit team has a clear understanding of the operating
system included in the scope of the review. Furthermore, to ensure that known
vulnerabilities associated with specific operating system versions are considered during
the audit to ensure that all exposures are identified.

3.1

3.2

3.3

3.4

3.5

Ascertain which version(s) of the operating system are running on the servers
included in the scope of the audit.
Determine if the most current version of the operating system is installed. If not,
evaluate the justification for why the most current version is not installed.
Ascertain whether all known operating system fixes have been installed. If not,
evaluate the justification for why available fixes have not been installed.
Determine if procedures are in place to ensure that system administration
personnel are informed of available operating system fixes in a timely manner.
Determine if third-party security software is running on the servers.

4.0

Network Overview
Objective: To ensure that the audit team has a clear understanding of network
components and interfaces which may impact the logical security of specific servers and
workstations.

Copyright 1999. Lance M. Turcato. All Rights Reserved.

Page 1

PREPARED
BY:
APPROVED
BY:
Assigned

Sec.

Sub-Sec.

4.1

B
B

1.0

AUDIT PROGRAM

Author: Lance M. Turcato

Logical Security

Audit Date:____________

Operating Systems - Generic

Audit Step

Date

Ref.

Initials

Obtain an understanding of the network environment at the site under review.

(NOTE: Determine if audit professionals responsible for network security have
documentation regarding the network environment before initiating discussions
with system administrators).

SECURITY MANAGMENT
Roles & Responsibilities
Objective: To ensure that roles and responsibilities for security management have been
clearly and appropriately defined.

1.1

1.2

2.0

Determine who is responsible for ensuring that the processing environment is in

compliance with applicable corporate security policies and standards.
Determine whether or not appropriate systems and security administration
personnel are involved in defining corporate security policies and standards to
ensure the applicability of the policies and standards throughout the processing
environment.

Corporate Security Policies & Standards

Objective: To ensure that existing corporate security policies and standards have been
communicated. Furthermore, to ensure that existing policies and standards are
applicable throughout the processing environment and that all systems are in compliance
with appropriate policies and standards.

2.1

2.2

2.3

3.0

Determine if existing corporate security policies and standards are applicable to

the environment under review.
Determine if security administration personnel are aware of relevant corporate
security policies and standards for the operating environment under review.
Identify the procedures in place to ensure compliance with relevant corporate
security policies and standards.

Security Awareness & Training

Objective: To ensure that end-users are aware of appropriate corporate security policies
and standards and are informed of their individual responsibilities relative to ensuring a
secure processing environment.

3.1

3.2

3.3

3.4

C
C

1.0

Determine if a process is in place to ensure that all systems and security

administration personnel are informed of all relevant corporate security policies
and standards.
Determine if a process is in place to ensure that all new employees are informed of
corporate security policies and standards.
Determine if a security awareness program is in place to ensure that end-users are
periodically informed of corporate security policies and standards to ensure that
they are aware of their individual responsibilities relative to security.
.
Determine if processes are in place to ensure that individuals with security
administration responsibilities are kept informed of key security advisories (i.e.,
CERT, CIAC, etc.) and issues related to installed operating systems.

SECURITY ADMINISTRATION
Roles & Responsibilities
Objective: To ensure that roles and responsibilities for security administration have been
clearly and appropriately defined.

1.1

Determine if the role and responsibilities of Security Administrator have been

formally defined and documented.

Copyright 1999. Lance M. Turcato. All Rights Reserved.

Page 2

PREPARED
BY:
APPROVED
BY:
Assigned

AUDIT PROGRAM

Author: Lance M. Turcato

Logical Security

Audit Date:____________

Operating Systems - Generic

Sec.

Sub-Sec.

1.2

Determine if individuals with security administration responsibilities are dedicated

to security administration on a full-time basis? If security administration is a parttime responsibility, determine if the individuals with security administration
responsibilities have other responsibilities that are incompatible with the security
administration function.

2.0

Staffing

Audit Step

Date

Ref.

Initials

Objective: To ensure that appropriate processes are in place to ensure that individuals
with security administration responsibilities are qualified to complete defined security
administration tasks.

2.1

2.2

2.3

2.4

Evaluate the hiring process for system and security administration personnel.
Specifically, determine if:

written job descriptions exist for system and security administrators,

a process is in place to ensure that prospective employee are appropriately
qualified, and

prospective employee skills are adequately assessed prior to employment.
Determine if security administration personnel have been adequately trained to
support the technology that they are responsible for.
Ascertain if backup system and security administration personnel have been
identified to provide systems support in the event that the primary administrator(s)
are unavailable.
Determine if vendors / contractors have security administration responsibilities.

3.0

Security Administration Procedures

Objective: To ensure that security administration responsibilities and activities have been
adequately defined and documented to support the security administration function and
to ensure that appropriate documentation is available to facilitate training processes for
new administrators.

3.1

C
C

3.2
3.3

C
C

3.4
3.5

D
D

Determine if documented procedures exist to support the security administration

function and to facilitate the training process for new employees.
If documented procedures exist, ascertain if the documentation is up to date.
If documented procedures exist, evaluate the documentation and determine
whether the documentation is adequate to provide guidance in the event that
primary security administration personnel become unavailable.
Evaluate the use of third-party tools to complete security administration activities.
Determine if in-house developed automated processes (e.g., scripts) are used to
complete security administration activities. Ensure that:

Script files are secured.

Documentation has been prepared to support these processes.

SYSTEM CONFIGURATION
1.0

Servers
Objective: To ensure that adequate controls are in place over the installation and
configuration of server hardware.

1.1

1.2

1.3

Determine if formal policies and standards exist for the installation and
configuration of server hardware.
Determine if documented procedures / checklists exist to support the server
installation process.
Determine if processes are in place to ensure that server installations are in
compliance with applicable policies and standards.

Copyright 1999. Lance M. Turcato. All Rights Reserved.

Page 3

PREPARED
BY:
APPROVED
BY:
Assigned

Sec.

AUDIT PROGRAM

Author: Lance M. Turcato

Logical Security

Audit Date:____________

Operating Systems - Generic

Sub-Sec.

Audit Step

Date

Ref.

Initials

NOTE: If reliance is placed on third-party security systems (e.g., TopSecret) to

control system level security, refer to sections D 6.0 through D 8.0.
D 2.0 Operating System Configuration - Policies & Standards
Objective: To ensure that operating system installations and upgrades are configured in
compliance with appropriate security and configuration policies and standards.

2.1

2.2

2.3

3.0

Determine if formal policies and standards exist for the configuration of the
operating system under review.
If policies and standards exist, identify which of these policies and standards are
applicable to the environment under review.
Determine if procedures are in place to ensure compliance with applicable policies
and standards throughout the configuration process for operating system
installations and upgrades.

Operating System Configuration - Configuration Process

Objective: To ensure that adequate controls are in place over the configuration of
operating system installations and upgrades.

3.1

3.2

3.3

3.4

3.5

3.6

3.7

3.8

4.0

Ensure that the operating system installation / upgrade process is subject to

corporate change management guidelines. No further testing of controls over
systems software maintenance is necessary as these controls are addressed in the
change management audit programs.
Determine if documented procedures / checklists exist to support the configuration
of system security parameters during the operating system installation / upgrade
process.
Determine if standard operating system configuration images are maintained to
ensure the consistency of all operating system configuration efforts.
Determine if all operating system security configurations are appropriately
authorized as well as adequately reviewed and approved by appropriate
management prior to being introduced into the production environment.
Determine if adequate records are maintained to document all modifications and
fixes to operating system security.
Ensure that operating system configuration procedures include steps to ensure
compliance with all relevant corporate policies and standards.
Ensure that appropriate records are maintained to document all deviations from
relevant corporate policies and standards.
Determine if operating system configuration policies and standards require that

all vendor supplied default passwords for predefined system accounts are
changed immediately upon installation or upgrade,

all unneeded vendor supplied system accounts are disabled or deleted, and

all passwords for privileged system accounts are assigned to appropriate
system / security administration personnel.

Operating System Configuration - System Security Parameters

Objective: To ensure that existing operating system security parameters are configured
to secure settings and are in compliance with best practices and relevant corporate
policies and standards.

4.1

4.2

Review relevant corporate policies and standards for the operating system under
review. Tailor this audit program to ensure that audit procedures are designed to
ensure that operating system configuration settings are in compliance with those
policies and standards.
Evaluate existing best practices for the configuration of operating system security
parameters. Tailor this audit program to ensure that applicable best practices are
considered in the audit approach.

Copyright 1999. Lance M. Turcato. All Rights Reserved.

Page 4

PREPARED
BY:
APPROVED
BY:
Assigned

Sec.

Sub-Sec.

4.3

4.3.1

4.3.2

4.3.3

D
D

4.3.4
4.3.5

4.3.6

D
D

4.3.7
4.3.8

5.0

AUDIT PROGRAM

Author: Lance M. Turcato

Logical Security

Audit Date:____________

Operating Systems - Generic

Audit Step

Date

Ref.

Initials

Evaluate current operating system configuration settings to ensure that the settings
are in compliance with relevant corporate policies and standards and conform to
best practices.
Ensure that all default passwords for predefined system accounts have been
changed.
Determine if the configurations for predefined system account profiles have
been changed from the vendor settings. If so, determine why and evaluate the
effect of the changes on system security.
Determine if the configurations for predefined group profiles have been
changed from the vendor settings. If so, determine why and evaluate the effect
of the changes on system security.
Ensure that all guest accounts have been disabled or removed from the system.
Ensure that the assigned passwords for super-user accounts are known by
appropriate system / security administration personnel only.
Ensure that all defined system services have been approved and are in
compliance with relevant configuration policies and standards.
Ensure that all systems services are configured to appropriate system ports.
Ensure that processes are in place to prevent the operating system from being
booted with unauthorized configuration settings.

System Utilities
Objective: To ensure that adequate controls are in place over the use of sensitive system
utilities.

5.1

5.2

5.3

5.4

Evaluate procedures in place to restrict access to powerful and sensitive system

utilities.
Identify those installed utilities that have the ability to bypass system level
security.
Determine if any scripts, command procedures, or applications have been
developed which have the ability to bypass system security.
Identify the accounts and groups with access to system utilities. Ensure that the
number of users with access to these utilities is reasonable and appropriate based
upon the users job function.

NOTE: Sections D 6.0 through D 8.0 are only applicable if third-party security
systems are installed and relied upon my management to control system level
access (e.g., TopSecret).
D 6.0 Security System Configuration - Policies & Standards
Objective: To ensure that third-party security system installations and upgrades are
configured in compliance with appropriate security and configuration policies and
standards.

6.1

6.2

6.3

7.0

Determine if formal policies and standards exist for the configuration of the thirdparty security system under review.
If policies and standards exist, identify which of these policies and standards are
applicable to the environment under review.
Determine if procedures are in place to ensure compliance with applicable policies
and standards throughout the configuration process for security system
installations and upgrades.

Security System Configuration - Configuration Process

Objective: To ensure that adequate controls are in place over the configuration of thirdparty security system installations and upgrades.

Copyright 1999. Lance M. Turcato. All Rights Reserved.

Page 5

PREPARED
BY:
APPROVED
BY:
Assigned

Sec.

Sub-Sec.

7.1

7.2

7.3

7.4

7.5

7.6

7.7

7.8

8.0

AUDIT PROGRAM

Author: Lance M. Turcato

Logical Security

Audit Date:____________

Operating Systems - Generic

Audit Step

Date

Ref.

Initials

Ensure that the security system installation / upgrade process is subject to

corporate change management guidelines. No further testing of controls over
systems software maintenance is necessary as these controls are addressed in the
change management audit programs.
Determine if documented procedures / checklists exist to support the configuration
of the security system parameters during the installation / upgrade process.
Determine if standard configuration images are maintained to ensure the
consistency of all configuration efforts for the security system under review.
Determine if all security system configurations are appropriately authorized as
well as adequately reviewed and approved by appropriate management prior to
being introduced into the production environment.
Determine if adequate records are maintained to document all modifications and
fixes to third-party security systems.
Ensure that configuration procedures include steps to ensure compliance with all
relevant corporate policies and standards.
Ensure that appropriate records are maintained to document all deviations from
relevant corporate policies and standards.
Determine if security system configuration policies and standards require that

all vendor supplied default passwords for predefined system accounts are
changed immediately upon installation or upgrade,

all unneeded vendor supplied system accounts are disabled or deleted, and

all passwords for privileged system accounts are assigned to appropriate
system / security administration personnel.

Security System Configuration - System Security Parameters

Objective: To ensure that existing parameters for third-party security systems are
configured to secure settings and are in compliance with best practices and relevant
corporate policies and standards.

8.1

8.2

8.3

D
D
D

8.3.1
8.3.2
8.3.3

8.3.4

8.3.5

8.3.6

D
D

8.3.7
8.3.8

Review relevant corporate policies and standards for the security system under
review. Tailor this audit program to ensure that audit procedures are designed to
ensure that third-party security system configuration settings are in compliance
with those policies and standards.
Evaluate existing best practices for the logical system security. Tailor this audit
program to ensure that applicable best practices are considered in the audit
approach.
Evaluate current third-party security system configuration settings to ensure that
the settings are in compliance with relevant corporate policies and standards and
conform to best practices.
Ensure that all default passwords for predefined accounts have been changed.
Ensure that ownership of all predefined accounts is documented.
Determine if the configurations for predefined system account profiles have
been changed from the vendor settings. If so, determine why and evaluate the
effect of the changes on system security.
Determine if the configurations for predefined group profiles have been
changed from the vendor settings. If so, determine why and evaluate the effect
of the changes on system security.
Ensure that the assigned passwords for super-user accounts are known by
appropriate system / security administration personnel only.
Ensure that all defined system services have been approved and are in
compliance with relevant configuration policies and standards.
Ensure that all systems services are appropriately configured.
Ensure that processes are in place to prevent the system from being booted /
IPLed with unauthorized security system configuration settings.

Copyright 1999. Lance M. Turcato. All Rights Reserved.

Page 6

PREPARED
BY:
APPROVED
BY:
Assigned

Sec.

E
E

AUDIT PROGRAM

Author: Lance M. Turcato

Logical Security

Audit Date:____________

Operating Systems - Generic

Sub-Sec.

1.0

Audit Step

Date

Ref.

Initials

ACCESS CONTROLS
Account Management
Objective: To ensure that appropriate controls are in place over the system level account
management process.

1.1

1.2

1.3

1.3.1

1.3.2

1.4

Meet with security administration personnel to obtain an understanding of the

account management process. Consider:

Are system / security administrators aware of relevant corporate policies and
standards regarding user account management?

Have formal account management procedures been developed?

Are formal procedures in place over the creation of new user accounts?

Are formal procedures in place over the modification of existing
accounts?

Are formal procedures in place to ensure that system level accounts are
disabled and/or removed promptly for terminated employees?

Are formal procedures in place to ensure that user access rights are
appropriately reviewed and modified for transferred employees?

Are third-party automated tools utilized?

Are in-house developed scripts utilized?

Are all new system level accounts authorized by appropriate management
before creation?

Is appropriate documentation maintained to support the authorization of all
system level accounts?

Are user account templates used to set-up new accounts or does the security /
system administrator set-up each account from scratch?

Do all system level IDs follow a consistent naming convention?

Are all account IDs unique?

Does the Human Resources department provide security administration
personnel with periodic reports of terminated and transferred employees?

Are periodic reviews of user access rights completed by appropriate
management to ensure that access rights remain commensurate with user job
responsibilities?

Have the systems been configured to automatically disable accounts that
have been inactive for an excessive time period (e.g., 90 days)?
If available, review documented procedures in place to support user account
management activities.
Request a listing of all system accounts from the responsible security / systems
administrator.
Review the system account listing and determine if all IDs follow a consistent
naming convention and comply with existing standards.
Determine if any accounts exist which have been inactive for over 90 days and
have not been disabled.
Request a report that summarizes all terminations that have occurred with the last
three months. Verify that the accounts for all terminated employees have been
disabled or removed from the systems.

Copyright 1999. Lance M. Turcato. All Rights Reserved.

Page 7

PREPARED
BY:
APPROVED
BY:
Assigned

AUDIT PROGRAM

Author: Lance M. Turcato

Logical Security

Audit Date:____________

Operating Systems - Generic

Sec.

Sub-Sec.

1.5

Judgmentally select a sample of accounts from the account listing requested in step
E 1.3 and review the following:

Are all account IDs unique and in compliance with existing naming
conventions?

Is appropriate documentation available to support the authorization of each
account and the approval of all access rights and privileges granted to each
account?

Is documentation available which supports periodic reviews of user access
rights?

2.0

Password Management

Audit Step

Date

Ref.

Initials

Objective: To ensure that the system has been configured to facilitate the use of secure
passwords to prevent unauthorized access to critical applications, data and system
resources.

2.1

2.2

3.0

Meet with security administration personnel to obtain an understanding of the

password management controls. Consider:

Are security / system administration personnel aware of relevant policies and
standards in place over the configuration of password management controls?

Have the systems been configured to authenticate all users through a valid
ID and password?

Is a unique initial password assigned to all new accounts upon creation?

Are the initial passwords assigned to all new accounts set as pre-expired,
requiring the user to change the password upon the initial logon?

Have the systems been configured to enforce restrictions on password syntax
and use?

Are password dictionaries used?

Are passwords hard-coded within scripts, batch files, or applications?
Request appropriate reports from the security / system administrator which display
current password management configurations and ensure the following:

Current configurations are in compliance with relevant corporate policies
and standards.

Appropriate restrictions are in place over password syntax as required by
relevant corporate policies and standards:

Minimum password length (e.g., 6 characters end users; 8 characters
systems personnel and privileged accounts).

Restrictions on password syntax (i.e., limit repeating characters,
restrict special characters, etc.).

Password lifetimes (e.g., 30 days for privileged accounts; 60 days for
end user accounts).

Restrictions on the ability to re-use passwords (i.e., password
histories maintained).

Appropriate controls are in place to limit the number of invalid access
attempts allowed before an account is locked or disabled (e.g., 3 invalid
attempts allowed prior to the system taking evasive action).

User Profile Configurations

Objective: To ensure that adequate controls are in place over the configuration of user
profiles to ensure that user access rights are commensurate with users job
responsibilities.

Copyright 1999. Lance M. Turcato. All Rights Reserved.

Page 8

PREPARED
BY:
APPROVED
BY:
Assigned

AUDIT PROGRAM

Author: Lance M. Turcato

Logical Security

Audit Date:____________

Operating Systems - Generic

Sec.

Sub-Sec.

3.1

Meet with security administration personnel to obtain an understanding of the

controls over the configuration of user profiles. Consider:

Are standards in place over the configuration of user profiles?

Are privileges and access rights granted to individual user accounts or are
they granted to groups and then allocated to users by assigning users to those
groups?

Have standard access definitions been established by job function or service
(product)?

How are user profiles established?
 Are user profile templates used to create new user profiles?
 Are existing profiles copied and modified to create a new profile?
 Are all new user profiles created from scratch?

Are user profiles configured to ensure that users are restricted to appropriate
applications and menus?

Are users restricted from accessing the operating system command line in the
production environment?

Are time restrictions placed on the use of the accounts?

Are station restrictions placed on the use of the accounts?

3.2

3.2.1

Select a sample of accounts from the system account listing requested in step E
1.3.
Review the current configurations of user profiles for each of the accounts
included in the sample:

Ensure that the user profiles are configured securely and comply with
applicable corporate policies and standards.

Ensure that the access rights and privileges assigned to each user are
commensurate with the users job responsibilities.

If login scripts are used, ensure that the login scripts are appropriately
secured.

Ensure that the home directory for each account is properly referenced
and secured.

Ensure that the account has not been inactive for an unreasonable time
period (e.g., greater than 90 days).

4.0

Audit Step

Date

Ref.

Initials

Group Profile Configurations

Objective: To ensure that adequate controls are in place over the configuration of group
profiles to ensure that access rights for users assigned to the group profiles are
commensurate with users job responsibilities.

4.1

4.2
4.2.1

Meet with security administration personnel to obtain an understanding of the

controls over the configuration of group profiles. Consider:

Are standards in place over the configuration of group profiles?

Have standard group access definitions been established by job function or
service (product)?

How are group profiles established?

Are default vendor supplied group profiles used?

Are group profiles configured to ensure that users are restricted to
appropriate applications and menus?

Are the access rights assigned to group profiles reviewed and approved by
appropriate management?
Request a report from the security / systems administrator which lists all group
profiles existing on the systems.
Select a sample of group profiles for review.

Copyright 1999. Lance M. Turcato. All Rights Reserved.

Page 9

PREPARED
BY:
APPROVED
BY:
Assigned

Sec.

AUDIT PROGRAM

Author: Lance M. Turcato

Logical Security

Audit Date:____________

Operating Systems - Generic

Sub-Sec.

4.2.2

5.0

Audit Step

Date

Ref.

Initials

Review the current configurations of each group profile included in the sample:

Obtain an understanding of the purpose of each group profile.

Ensure that the group profiles are configured securely and comply with
applicable corporate policies and standards.

Review the access rights and privileges provided by the group profiles
and ensure that the access rights and privileges are reasonable based upon
the purpose of the profile (i.e., is there an issue regarding segregation of
functions, etc.).

Ensure that the user accounts assigned to each group profile are
appropriate? Are the access rights and privileges provided to the user by
the group profile commensurate with each users job responsibilities?

Privileged Accounts
Objective: To ensure that adequate controls are in place over the authorization,
ownership, and use of sensitive super-user accounts.

5.1

5.2

5.2.1

5.3

Meet with security administration personnel to obtain an understanding of the

controls in place over privileged system level accounts. Consider:

Are standards in place over the assignment and use of privileged accounts?

Have superuser IDs been established to provide technical support staff with a
means to address immediate, emergency platform problems?

Is the number of users with privileged access appropriately limited?

Are the passwords for super-user accounts (i.e., root - UNIX; Administrator
- NT; etc.) unique to each server?

Do administrators login directly to super-user accounts (i.e., root - UNIX;
Administrator - NT; etc.) or are administrators assigned the necessary
privileges to complete system and security administration tasks utilizing their
own unique accounts?

Do administrators login to their own unique accounts with administrative
rights only when necessary to perform actions requiring those rights. At all
other times do the administrators log on with unique accounts that have been
granted fewer rights?

Are privileged user access rights reviewed on a regular basis by user
management (e.g., minimum quarterly review)?
Request a report from the systems / security administrator that lists all privileged
accounts existing on the systems.
Review the report of privileged accounts:

Is the number of privileged accounts reasonable based upon the size of
the environment?

Do the privileges assigned to these accounts appear appropriate?

Does documentation exist to support the authorization of each account
and the approval of all privileges assigned to each account?

Are appropriate controls in place over the use of privileged predefined
accounts supplied by the vendor (i.e., Administrator - NT; root - UNIX)?
Is the use of these accounts appropriately monitored?

Do generic account IDs exist for any of the privileged accounts? If so,
determine how management ensures accountability over the use of these
generic accounts.

Ensure that all privileged accounts are active and are not associated with
a terminated employee.
Request a report from the systems / security administrator that lists all privileged
groups and the accounts assigned to those groups.

Copyright 1999. Lance M. Turcato. All Rights Reserved.

Page 10

PREPARED
BY:
APPROVED
BY:
Assigned

Sec.

AUDIT PROGRAM

Author: Lance M. Turcato

Logical Security

Audit Date:____________

Operating Systems - Generic

Sub-Sec.

5.3.1

6.0

Audit Step

Date

Ref.

Initials

Review the report of privileged groups:

Evaluate the purpose of each privileged group.

Based upon the purpose of each group, determine if the number of
accounts assigned to each group appears reasonable.

Does documentation exist to support the authorization of each account
assigned to each privileged group?

Ensure that all accounts assigned to each privileged group are active and
are not associated with a terminated employee.

Special User Accounts

Objective: To ensure that appropriate controls are in place over the authorization,
ownership, and use of unique special user accounts.

6.1

6.2

7.0

Meet with security administration personnel to obtain an understanding of the

controls in place over special user accounts:

Are standards in place over the assignment and use of special user accounts?

Are restrictions placed on accounts provided to contractors and temporary
workers (i.e., time restrictions, etc.)?

Are special developer accounts provided to developers to diagnose
application problems in the production environment? Is access to production
environment read only?

Are emergency IDs created to perform emergency systems maintenance?
Evaluate the controls in place over the establishment and use of special user
accounts.

Logon / Logoff Processes

Objective: To ensure that appropriate controls are in place over the logon and logoff
processes.

7.1

7.2

7.3

7.4

7.5

7.6

7.7

8.0

Determine if the systems have been configured to lock accounts after a specified
number of invalid logon attempts (e.g., 3 invalid attempts allowed prior to the
system taking evasive action)?
Determine if system banners are displayed on the systems during the login process
to provide a warning against unauthorized access.
Ensure that Organization specific information is not included in the system banner
displays.
Determine if user names and / or passwords are hardcoded in logon scripts or
command procedures.
Determine if the systems have been configured to automatically logoff or lock a
terminal / workstation after a specified period of inactivity (e.g., greater than 15
minutes of inactivity)?
Determine if the systems have been configured to limit concurrent logins to a
single account.
Determine if system consoles have been appropriately secured to prevent
unauthorized access?

Generic / Shared Accounts

Objective: To ensure that the use of generic and shared accounts is limited and justified
by business need and to ensure that appropriate controls are in place over the use of these
accounts.

Copyright 1999. Lance M. Turcato. All Rights Reserved.

Page 11

PREPARED
BY:
APPROVED
BY:
Assigned

Sec.

Sub-Sec.

8.1

8.2

8.3

8.4

9.0

AUDIT PROGRAM

Author: Lance M. Turcato

Logical Security

Audit Date:____________

Operating Systems - Generic

Audit Step

Date

Ref.

Initials

Meet with security administration personnel to obtain an understanding of the

controls in place over generic / shared accounts:

Are generic / shared accounts used (i.e., OPERATOR, etc.)? If so, on what
basis?

Are system / security administrators aware of standards in place over the
assignment and use of these accounts?
Review the list of accounts acquired in step E 1.3 and identify all generic accounts
and accounts that appear to be shared accounts.
If generic or shared accounts are identified, discuss these accounts with
appropriate management to determine if the use of these accounts is reasonable
and based upon business requirements.
Determine if policies and standards regarding generic / shared accounts are being
met.

Remote Access
Objective: To ensure that appropriate controls are in place to control access to the
internal network and systems from a remote system.

9.1

10.0

Meet with security / systems administration personnel to obtain an understanding

of the controls in place over access to the organizations systems via modems and
other forms of remote access.

Are system / security administrators aware of standards regarding remote
access?

Are authentication devices utilized to control remote access?

Are modem phone numbers kept confidential?

System Boot Process

Objective: To ensure that appropriate controls are in place to ensure that only
authorized security settings and system services are initiated during the system boot / IPL
process.

10.1

10.2

Meet with security / systems administration personnel to obtain an understanding

of the controls in place over system boots / IPLs.
Ensure that boot command procedures are appropriately secured.

1.0

FILE & DIRECTORY PROTECTION

System Directories & Files

F
F

Objective: To ensure that system level security has been configured to appropriately
protect critical system directories and files.

1.1

1.2

1.3

1.3.1

Meet with security / systems administration personnel to obtain an understanding

of the controls in place over system directories and files.

Are system / security administrators aware of relevant standards regarding
the configuration of security over system directories and files?

Are procedures in place over the configuration of security for system
directories and files?

How are access rights for system directories and files determined and
assigned?

Who approves access rights for system directories and files?
Determine if corporate policies and standards exist regarding the configuration of
security over system directories and files for the operating platform under review.
Request reports from security / systems administration personnel which detail the
current security settings for critical system directories and files.
Determine which accounts and groups have been assigned access to the system
directories and files.

Copyright 1999. Lance M. Turcato. All Rights Reserved.

Page 12

PREPARED
BY:
APPROVED
BY:
Assigned

Sec.

AUDIT PROGRAM

Author: Lance M. Turcato

Logical Security

Audit Date:____________

Operating Systems - Generic

Sub-Sec.

1.3.2

1.3.3

F
F

1.4
1.5

2.0

Audit Step

Date

Ref.

Initials

Evaluate the appropriateness of the access rights assigned to the identified

accounts and groups.
Determine if universal access (i.e., world, everyone) has been granted to any of
the system directories or files.
Determine if appropriate system files have been encrypted (i.e., password files).
Determine if any scripts, command procedures, or applications have been
developed which have the ability to alter directory or file security.

Application Directories & Files

Objective: To ensure that system level security has been configured to appropriately
protect critical application directories and files.

2.1

2.2

2.3

2.3.1

2.3.2

2.3.3

3.0

Meet with security / systems administration personnel to obtain an understanding

of the controls in place over application directories and files.

Are system / security administrators aware of relevant standards regarding
the configuration of security over application directories and files?

Are procedures in place over the configuration of security for application
directories and files?

How are access rights for application directories and files determined and
assigned?

Who approves access rights for application directories and files?
Determine if corporate policies and standards exist regarding the configuration of
security over application directories and files.
Request reports from security / systems administration personnel which detail the
current security settings for critical application directories and files.
Determine which accounts and groups have been assigned access to the
application directories and files.
Evaluate the appropriateness of the access rights assigned to the identified
accounts and groups.
Determine if universal access (i.e., world, everyone) has been granted to any of
the application directories or files.

Production Data Directories & Files

Objective: To ensure that system level security has been configured to appropriately
protect critical production data directories and files.

3.1

3.2

3.3

3.3.1

3.3.2

3.3.3

Meet with security / systems administration personnel to obtain an understanding

of the controls in place over production data directories and files.

Are system / security administrators aware of relevant standards regarding
the configuration of security over production data directories and files?

Are procedures in place over the configuration of security for production
data directories and files?

How are access rights for production data directories and files determined
and assigned?

Who approves access rights for application directories and files?
Determine if corporate policies and standards exist regarding the configuration of
security over production data directories and files.
Request reports from security / systems administration personnel which detail the
current security settings for critical production data directories and files.
Determine which accounts and groups have been assigned access to the
production data directories and files.
Evaluate the appropriateness of the access rights assigned to the identified
accounts and groups.
Determine if universal access (i.e., world, everyone) has been granted to any of
the production data directories or files.

Copyright 1999. Lance M. Turcato. All Rights Reserved.

Page 13

PREPARED
BY:
APPROVED
BY:
Assigned

Sec.

G
G

AUDIT PROGRAM

Author: Lance M. Turcato

Logical Security

Audit Date:____________

Operating Systems - Generic

Sub-Sec.

Audit Step

Date

Ref.

Initials

REPORTING & AUDITING

1.0

Logging
Objective: To ensure that appropriate security events are logged to provide security
administration personnel with the ability to appropriately monitor system security.

1.1

1.2

G
G
G

1.3
1.4
1.5

Determine if security / systems administration personnel are aware of corporate

standards which exist for the configuration of system audit log facilities.
Evaluate the current configuration of the system audit log facilities:

Are appropriate events being logged?

Failed logon attempts

Failed file and object access attempts

Account and group profile additions, changes and deletions

Changes to system security configurations

System shutdown and restarts

Privileged operations

Use of sensitive utilities

Access to critical data files

Are audit entries written to appropriate log files / databases?

Are system audit facilities configured to start automatically during the boot /
IPL process?

Are current configurations in compliance with relevant policies and
standards?
Determine if audit log files are appropriately secured.
Determine if audit log files are backed up on a regular basis.
Determine if audit log files are archived on a regular basis.

2.0

Reporting
Objective: To ensure that appropriate reports are produced to summarize data recorded
in audit logs so that security events may be efficiently monitored on a timely basis.

2.0

2.1

3.0

Determine if security / systems administration personnel are aware of corporate

standards regarding security reporting.
Evaluate current security reporting processes and procedures:

Are security reports generated on a regular basis?

Are filters utilized to select data from audit log files to generate meaningful
and useful security reports?

Are automated reporting facilities active:

Alerts posted to system consoles

Automatic pages for specific security events

Automatic email messages generated for specific security events

Are current security reporting processes and procedures in compliance with
relevant policies and standards?

Monitoring
Objective: To ensure that appropriate processes and procedures are in place to monitor
security reports in order to detect security violations and unauthorized changes to system
security configurations in a timely manner.

3.1

Determine if security / systems administration personnel are aware of corporate

standards regarding the review of security audit logs.

Copyright 1999. Lance M. Turcato. All Rights Reserved.

Page 14

PREPARED
BY:
APPROVED
BY:
Assigned

Sec.

Sub-Sec.

3.2

AUDIT PROGRAM

Author: Lance M. Turcato

Logical Security

Audit Date:____________

Operating Systems - Generic

Audit Step

Date

Ref.

Initials

Evaluate current monitoring procedures:

Are generated security reports regularly reviewed by appropriate security /
system administration personnel.

Are automated processes in place to monitor security events?

Are procedures in place to analyze trends in security events?

Are current monitoring processes and procedures in compliance with
relevant policies and standards?

Copyright 1999. Lance M. Turcato. All Rights Reserved.

Page 15

PREPARED
BY:
APPROVED
BY:
Assigned

Sec.

AUDIT PROGRAM

Author: Lance M. Turcato

Logical Security

Audit Date:____________

Operating Systems - Generic

Sub-Sec.

Audit Step

Date

Ref.

Initials

Administration & Sign-off Reference

Program Prepared By:_______________________________
Signed:_______________________________
Program Approved By:_______________________________
Signed:_______________________________

Engagement Team (print):

Initials

____________________________

________

____________________________

________

____________________________

________

____________________________

________

____________________________

________

____________________________

________

Copyright 1999. Lance M. Turcato. All Rights Reserved.

Page 16